ci: add repo hygiene and verification workflow

2026-03-07 14:44:54 +00:00 · 2026-03-07 14:44:54 +00:00 · a17424f0cc
commit a17424f0cc
parent d2b5c7e668
2 changed files with 120 additions and 12 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,93 @@
 name: ci
 on:
  pull_request:
  push:
    branches:
      - main
 permissions:
  contents: read
 concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  lint:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v6.0.2
      - name: Setup Go
        uses: actions/setup-go@v6.3.0
        with:
          go-version-file: go.mod
          cache: true
      - name: Lint
        uses: golangci/golangci-lint-action@v9.2.0
        with:
          version: v2.11.1
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout
        uses: actions/checkout@v6.0.2
      - name: Setup Go
        uses: actions/setup-go@v6.3.0
        with:
          go-version-file: go.mod
          cache: true
      - name: Test with coverage
        run: go test ./... -coverprofile=coverage.out
      - name: Enforce coverage floor
        run: |
          total="$(go tool cover -func=coverage.out | awk '/^total:/ { sub(/%$/, "", $3); print $3 }')"
          awk -v total="$total" 'BEGIN {
            if (total == "") {
              print "missing coverage total"
              exit 1
            }
            if (total + 0 < 80.0) {
              printf("coverage %.1f%% is below 80%%\n", total + 0)
              exit 1
            }
            printf("coverage %.1f%%\n", total + 0)
          }'
      - name: Build
        run: go build ./cmd/discrawl
  secrets:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v6.3.0
        with:
          go-version-file: go.mod
          cache: true
      - name: Install gitleaks
        run: go install github.com/zricethezav/gitleaks/v8@v8.30.0
      - name: Scan git history
        run: |
          "$(go env GOPATH)/bin/gitleaks" git --no-banner --redact
      - name: Scan working tree
        run: |
          "$(go env GOPATH)/bin/gitleaks" dir . --no-banner --redact
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,4 @@
-# If you prefer the allow list template instead of the deny list, see community template:
+# Go binaries and plugins
 # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
 #
 # Binaries for programs and plugins
 *.exe
 *.exe~
 *.dll
@ -11,22 +8,40 @@
 # Test binary, built with `go test -c`
 *.test
-# Code coverage profiles and other test artifacts
+# Coverage and test artifacts
 *.out
 coverage.out
 coverage.*
 *.coverprofile
 profile.cov
-# Dependency directories (remove the comment below to include it)
+# Dependency directories
 # vendor/
-# Go workspace file
+# Go workspace files
 go.work
 go.work.sum
-# env file
+# Local runtime data
-.env
+.discrawl/
 *.db
 *.db-*
 *.sqlite
 *.sqlite-*
 *.sqlite3
 *.sqlite3-*
-# Editor/IDE
+# Secrets and local env
-# .idea/
+.env
-# .vscode/
+.env.*
 .direnv/
 # Build outputs
 /discrawl
 bin/
 dist/
 # Editor / OS noise
 .DS_Store
 .idea/
 .vscode/